<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionView::Helpers::SanitizeHelper</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionView::Helpers::SanitizeHelper</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../../files/vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper_rb.html">
                vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">

    <div id="description">
      <p>
The <a href="SanitizeHelper.html">SanitizeHelper</a> module provides a set
of methods for scrubbing text of undesired HTML elements. These helper
methods extend ActionView making them callable within your template files.
</p>

    </div>


   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000935">included</a>&nbsp;&nbsp;
      <a href="#M000936">sanitize</a>&nbsp;&nbsp;
      <a href="#M000937">sanitize_css</a>&nbsp;&nbsp;
      <a href="#M000939">strip_links</a>&nbsp;&nbsp;
      <a href="#M000938">strip_tags</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Class methods</h3>

      <div id="method-M000935" class="method-detail">
        <a name="M000935"></a>

        <div class="method-heading">
          <a href="#M000935" class="method-signature">
          <span class="method-name">included</span><span class="method-args">(base)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000935-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000935-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 9</span>
 9:       <span class="ruby-keyword kw">def</span> <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">included</span>(<span class="ruby-identifier">base</span>)
10:         <span class="ruby-identifier">base</span>.<span class="ruby-identifier">extend</span>(<span class="ruby-constant">ClassMethods</span>)
11:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000936" class="method-detail">
        <a name="M000936"></a>

        <div class="method-heading">
          <a href="#M000936" class="method-signature">
          <span class="method-name">sanitize</span><span class="method-args">(html, options = {})</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
This <a href="SanitizeHelper.html#M000936">sanitize</a> helper will html
encode all tags and strip all attributes that aren&#8216;t specifically
allowed. It also strips href/src tags with invalid protocols, like
javascript: especially. It does its best to counter any tricks that hackers
may use, like throwing in unicode/ascii/hex values to get past the
javascript: filters. Check out the extensive test suite.
</p>
<pre>
  &lt;%= sanitize @article.body %&gt;
</pre>
<p>
You can add or remove tags/attributes if you want to customize it a bit.
See <a href="../Base.html">ActionView::Base</a> for full docs on the
available options. You can add tags/attributes for single uses of <a
href="SanitizeHelper.html#M000936">sanitize</a> by passing either the
:attributes or :tags options:
</p>
<p>
Normal Use
</p>
<pre>
  &lt;%= sanitize @article.body %&gt;
</pre>
<p>
Custom Use (only the mentioned tags and attributes are allowed, nothing
else)
</p>
<pre>
  &lt;%= sanitize @article.body, :tags =&gt; %w(table tr td), :attributes =&gt; %w(id class style)
</pre>
<p>
Add table tags to the default allowed tags
</p>
<pre>
  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end
</pre>
<p>
Remove tags to the default allowed tags
</p>
<pre>
  Rails::Initializer.run do |config|
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end
</pre>
<p>
Change allowed default attributes
</p>
<pre>
  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end
</pre>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000936-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000936-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 51</span>
51:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>, <span class="ruby-identifier">options</span> = {})
52:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">white_list_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>, <span class="ruby-identifier">options</span>)
53:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000937" class="method-detail">
        <a name="M000937"></a>

        <div class="method-heading">
          <a href="#M000937" class="method-signature">
          <span class="method-name">sanitize_css</span><span class="method-args">(style)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Sanitizes a block of css code. Used by <a
href="SanitizeHelper.html#M000936">sanitize</a> when it comes across a
style attribute
</p>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000937-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000937-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 56</span>
56:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">style</span>)
57:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">white_list_sanitizer</span>.<span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">style</span>)
58:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000939" class="method-detail">
        <a name="M000939"></a>

        <div class="method-heading">
          <a href="#M000939" class="method-signature">
          <span class="method-name">strip_links</span><span class="method-args">(html)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Strips all link tags from <tt>text</tt> leaving just the link text.
</p>
<h4>Examples</h4>
<pre>
  strip_links('&lt;a href=&quot;http://www.rubyonrails.org&quot;&gt;Ruby on Rails&lt;/a&gt;')
  # =&gt; Ruby on Rails

  strip_links('Please e-mail me at &lt;a href=&quot;mailto:me@email.com&quot;&gt;me@email.com&lt;/a&gt;.')
  # =&gt; Please e-mail me at me@email.com.

  strip_links('Blog: &lt;a href=&quot;http://www.myblog.com/&quot; class=&quot;nav&quot; target=\&quot;_blank\&quot;&gt;Visit&lt;/a&gt;.')
  # =&gt; Blog: Visit
</pre>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000939-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000939-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 89</span>
89:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">strip_links</span>(<span class="ruby-identifier">html</span>)
90:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">link_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>)
91:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>

      <div id="method-M000938" class="method-detail">
        <a name="M000938"></a>

        <div class="method-heading">
          <a href="#M000938" class="method-signature">
          <span class="method-name">strip_tags</span><span class="method-args">(html)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Strips all HTML tags from the <tt>html</tt>, including comments. This uses
the html-scanner tokenizer and so its HTML parsing ability is limited by
that of html-scanner.
</p>
<h4>Examples</h4>
<pre>
  strip_tags(&quot;Strip &lt;i&gt;these&lt;/i&gt; tags!&quot;)
  # =&gt; Strip these tags!

  strip_tags(&quot;&lt;b&gt;Bold&lt;/b&gt; no more!  &lt;a href='more.html'&gt;See more here&lt;/a&gt;...&quot;)
  # =&gt; Bold no more!  See more here...

  strip_tags(&quot;&lt;div id='top-bar'&gt;Welcome to my website!&lt;/div&gt;&quot;)
  # =&gt; Welcome to my website!
</pre>
          <p><a class="source-toggle" href="#"
            onclick="toggleCode('M000938-source');return false;">[Source]</a></p>
          <div class="method-source-code" id="M000938-source">
<pre>
    <span class="ruby-comment cmt"># File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 74</span>
74:       <span class="ruby-keyword kw">def</span> <span class="ruby-identifier">strip_tags</span>(<span class="ruby-identifier">html</span>)     
75:         <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">class</span>.<span class="ruby-identifier">full_sanitizer</span>.<span class="ruby-identifier">sanitize</span>(<span class="ruby-identifier">html</span>)
76:       <span class="ruby-keyword kw">end</span>
</pre>
          </div>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>